New Logjam Attack on Diffie-Hellman Threatens Security of Browsers, VPNs

Researchers have uncovered a flaw in the way that some servers handle the Diffie-Hellman key exchange, a bug that’s somewhat similar to the FREAK attack and threatens the security of many Web and mail servers. The bug affects all of the major browsers and any server that supports export-grade 512-bit Diffie-Hellman cryptography.

The most serious threat from this issue likely comes from advanced attackers with significant resources, i.e., intelligence agencies and other state-level attackers. The researchers behind the new attack technique say that information contained in the NSA documents stolen and leaked by Edward Snowden suggests the agency may have been able to perform the precomputation that breaks Diffie-Hellman key exchanges using widely shared prime numbers. That would give the agency access to the traffic to and from the VPN, HTTPS and SSH servers whose security depends upon those primes.

“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections,” says an explanation of the vulnerability and attack, which was researched by a group of academic and industry experts from Johns Hopkins University, Microsoft, the University of Michigan and elsewhere.

“We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS DHE_EXPORT servers. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”

The vulnerability can be exploited by a technique being called the Logjam attack, which allows an attacker to downgrade a vulnerable server to a weak, 512-bit connection. As in the FREAK attack, this requires the attacker to be in a man-in-the-middle position, but if the attack is successful, it would give the attacker the ability to read any of the supposedly secure traffic on that connection. The vulnerability derives from an issue in the TLS protocol itself.

“The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable,” the attack explanation says.
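The three points above (the precomputation depends only on the prime, the downgrade lands the connection on a 512-bit DHE_EXPORT suite, and any server still offering those suites is exposed) translate into a concrete check a defender can run over captured handshakes. The following is an added example, not code from the article or from the Logjam researchers: it parses the ServerDHParams structure that a TLS 1.2 ServerKeyExchange carries (the length-prefixed dh_p, dh_g, dh_Ys vectors from RFC 5246), grades the group by the size of the prime, flags the export DHE cipher suites by their RFC 2246 code points, and groups hosts that share the same prime. The sample primes are constructed odd numbers of the right bit length standing in for real group parameters, and the host names are placeholders.

```python
"""Added example (not part of the original article): inspect DH parameters from
TLS handshakes for the weaknesses the Logjam research describes."""
import hashlib
import struct
from collections import defaultdict

# Code points of the export-grade ephemeral DH suites (RFC 2246, appendix A.5).
DHE_EXPORT_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def _read_vector(data, offset):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then the bytes."""
    if offset + 2 > len(data):
        raise ValueError("truncated ServerDHParams: missing length field")
    (length,) = struct.unpack_from("!H", data, offset)
    offset += 2
    if length == 0 or offset + length > len(data):
        raise ValueError("truncated ServerDHParams: bad vector length %d" % length)
    return int.from_bytes(data[offset:offset + length], "big"), offset + length


def parse_server_dh_params(data):
    """Parse ServerDHParams { dh_p, dh_g, dh_Ys } (RFC 5246, 7.4.3).
    Returns (p, g, Ys, trailing_bytes); the trailing bytes are the signature."""
    p, off = _read_vector(data, 0)
    g, off = _read_vector(data, off)
    ys, off = _read_vector(data, off)
    return p, g, ys, data[off:]


def encode_server_dh_params(p, g, ys):
    """Inverse of parse_server_dh_params; used to build the constructed samples."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def classify_dh_group(p):
    """Grade a DH prime by size, following the article's estimates."""
    bits = p.bit_length()
    if bits <= 512:
        return "export-grade"   # the Logjam downgrade target; breakable with academic resources
    if bits < 1024:
        return "weak"
    if bits == 1024:
        return "at-risk"        # the nation-state precomputation estimate applies here
    return "acceptable"


def group_fingerprint(p):
    """Stable identifier for a group: the precomputation depends on p alone,
    so every server using the same p shares the same exposure."""
    raw = p.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()[:16]


def assess_server_key_exchange(cipher_suite, dh_params_bytes):
    """Return a list of findings for one observed handshake (empty means no issue)."""
    findings = []
    if cipher_suite in DHE_EXPORT_SUITES:
        findings.append("negotiated export DHE suite %s" % DHE_EXPORT_SUITES[cipher_suite])
    p, g, ys, _ = parse_server_dh_params(dh_params_bytes)
    grade = classify_dh_group(p)
    if grade != "acceptable":
        findings.append("%d-bit DH prime is %s" % (p.bit_length(), grade))
    if not (1 < ys < p - 1):
        findings.append("server public value out of range")
    return findings


def shared_group_report(observations):
    """observations: iterable of (host, p). Groups hosts by prime so shared groups stand out."""
    by_group = defaultdict(list)
    for host, p in observations:
        by_group[group_fingerprint(p)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_group.items()}


# Constructed sample values: odd numbers of the right size standing in for real primes.
SAMPLE_P_512 = (1 << 511) | 1
SAMPLE_P_1024 = (1 << 1023) | 1
SAMPLE_P_2048 = (1 << 2047) | 1

if __name__ == "__main__":
    msg = encode_server_dh_params(SAMPLE_P_512, 2, 12345)
    print(assess_server_key_exchange(0x0014, msg))
    print(shared_group_report([("a.example", SAMPLE_P_1024),
                               ("b.example", SAMPLE_P_1024),
                               ("c.example", SAMPLE_P_2048)]))
```

The range check on the server's public value is a general Diffie-Hellman hygiene check rather than something the article discusses; it is included because a parser that already has p and Ys in hand should reject trivial values. In practice the observations fed to `shared_group_report` would come from a fleet scan or from passively logged ServerKeyExchange messages, which is where the article's "same prime for millions of servers" problem becomes visible.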

The researchers, who include noted cryptographer Matthew Green at Johns Hopkins and J. Alex Halderman at the University of Michigan, have written a detailed technical report on the attack and its implications. In assessing how widespread the problem is, the researchers found that 8.4 percent of the top one million sites are vulnerable to the attack on HTTPS, and that 14.8 percent of servers in the IPv4 address space that support SMTP with STARTTLS are vulnerable.

All of the major browsers are vulnerable to the Logjam attack, but the vendors are deploying fixes now, so users should ensure that they are on the most recent release of their browsers. This attack is the most recent in an ever-growing list of vulnerabilities and attack techniques that have seriously undermined some of the Internet’s more broadly deployed security protocols, such as SSL and TLS. In addition to FREAK, the last few years also have seen the emergence of the BEAST, CRIME and POODLE attacks, as well as the OpenSSL Heartbleed vulnerability.

But the newest discovery may be the most important, given the implications for the security of systems such as VPNs and SSH servers.

“Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?” the researchers say in their paper.